yadunut/clan-core
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

updating groups/machines/users keys now also update vars secrets

Browse Source
This commit is contained in:
Jörg Thalheim
2024-12-17 19:21:45 +01:00
parent 5893a53089
commit f2856cb773
5 changed files with 113 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
pkgs/clan-cli/clan_cli/secrets/groups.py
View File

@@ -20,7 +20,6 @@ from .folders import (
sops_secrets_folder,
sops_users_folder,
)
from .sops import update_keys
from .types import (
VALID_USER_NAME,
group_name_type,
@@ -97,15 +96,10 @@ def list_directory(directory: Path) -> str:
def update_group_keys(flake_dir: Path, group: str) -> list[Path]:
updated_paths = []
for secret_ in secrets.list_secrets(flake_dir):
secret = sops_secrets_folder(flake_dir) / secret_
if (secret / "groups" / group).is_symlink():
updated_paths += update_keys(
secret,
secrets.collect_keys_for_path(secret),
)
return updated_paths
def filter_group_secrets(secret: Path) -> bool:
return (secret / "groups" / group).is_symlink()
return secrets.update_secrets(flake_dir, filter_secrets=filter_group_secrets)
def add_member(
@@ -209,6 +203,21 @@ def add_secret(flake_dir: Path, group: str, name: str) -> None:
)
def get_groups(
flake_dir: Path,
type_name: str,
name: str,
) -> list[Path]:
groups_dir = sops_groups_folder(flake_dir)
groups = []
if groups_dir.exists():
for group in groups_dir.iterdir():
if group.is_dir() and (group / type_name / name).exists():
groups.append(group)
return groups
def add_secret_command(args: argparse.Namespace) -> None:
add_secret(args.flake.path, args.group, args.secret)

13
pkgs/clan-cli/clan_cli/secrets/machines.py
View File

@@ -17,24 +17,29 @@ from .folders import (
sops_machines_folder,
sops_secrets_folder,
)
from .groups import get_groups
from .secrets import update_secrets
from .sops import read_key, write_key
from .types import public_or_private_age_key_type, secret_name_type
def add_machine(flake_dir: Path, machine: str, pubkey: str, force: bool) -> None:
machine_path = sops_machines_folder(flake_dir) / machine
def add_machine(flake_dir: Path, name: str, pubkey: str, force: bool) -> None:
machine_path = sops_machines_folder(flake_dir) / name
write_key(machine_path, pubkey, sops.KeyType.AGE, overwrite=force)
paths = [machine_path]
groups = get_groups(flake_dir, "machines", name)
def filter_machine_secrets(secret: Path) -> bool:
return (secret / "machines" / machine).exists()
if (secret / "machines" / name).exists():
return True
return any(secret.joinpath("groups", group.name).exists() for group in groups)
paths.extend(update_secrets(flake_dir, filter_secrets=filter_machine_secrets))
commit_files(
paths,
flake_dir,
f"Add machine {machine} to secrets",
f"Add machine {name} to secrets",
)

47
pkgs/clan-cli/clan_cli/secrets/secrets.py
View File

@@ -1,4 +1,5 @@
import argparse
import functools
import getpass
import logging
import os
@@ -39,18 +40,52 @@ from .types import VALID_SECRET_NAME, secret_name_type
log = logging.getLogger(__name__)
def list_generators_secrets(generators_path: Path) -> list[Path]:
for generator_path in generators_path.iterdir():
if not generator_path.is_dir():
continue
def validate(generator_path: Path, name: str) -> bool:
return has_secret(generator_path / name)
paths = []
for obj in list_objects(
generator_path, functools.partial(validate, generator_path)
):
paths.append(generator_path / obj)
return paths
return []
def list_vars_secrets(flake_dir: Path) -> list[Path]:
secret_paths = []
shared_dir = flake_dir / "vars" / "shared"
if shared_dir.is_dir():
secret_paths.extend(list_generators_secrets(shared_dir))
machines_dir = flake_dir / "vars" / "per-machine"
if machines_dir.is_dir():
for machine_dir in machines_dir.iterdir():
if not machine_dir.is_dir():
continue
secret_paths.extend(list_generators_secrets(machine_dir))
return secret_paths
def update_secrets(
flake_dir: Path, filter_secrets: Callable[[Path], bool] = lambda _: True
) -> list[Path]:
changed_files = []
for name in list_secrets(flake_dir):
secret_path = sops_secrets_folder(flake_dir) / name
if not filter_secrets(secret_path):
secret_paths = [sops_secrets_folder(flake_dir) / s for s in list_secrets(flake_dir)]
secret_paths.extend(list_vars_secrets(flake_dir))
for path in secret_paths:
if not filter_secrets(path):
continue
changed_files.extend(
update_keys(
secret_path,
collect_keys_for_path(secret_path),
path,
collect_keys_for_path(path),
)
)
return changed_files
@@ -222,7 +257,7 @@ def allow_member(
) -> list[Path]:
source = source_folder / name
if not source.exists():
msg = f"Cannot encrypt {group_folder.parent.name} for '{name}' group. '{name}' group does not exist in {source_folder}: "
msg = f"Cannot encrypt {group_folder.parent.name} for '{name}'. '{name}' does not exist in {source_folder}: "
msg += list_directory(source_folder)
raise ClanError(msg)
group_folder.mkdir(parents=True, exist_ok=True)

15
pkgs/clan-cli/clan_cli/secrets/users.py
View File

@@ -8,7 +8,13 @@ from clan_cli.errors import ClanError
from clan_cli.git import commit_files
from . import secrets, sops
from .folders import list_objects, remove_object, sops_secrets_folder, sops_users_folder
from .folders import (
list_objects,
remove_object,
sops_secrets_folder,
sops_users_folder,
)
from .groups import get_groups
from .secrets import update_secrets
from .sops import read_key, write_key
from .types import (
@@ -28,11 +34,16 @@ def add_user(
) -> None:
path = sops_users_folder(flake_dir) / name
groups = get_groups(flake_dir, "users", name)
def filter_user_secrets(secret: Path) -> bool:
return secret.joinpath("users", name).exists()
if secret.joinpath("users", name).exists():
return True
return any(secret.joinpath("groups", group.name).exists() for group in groups)
write_key(path, key, key_type, overwrite=force)
paths = [path]
paths.extend(update_secrets(flake_dir, filter_secrets=filter_user_secrets))
commit_files(
paths,